Privacy Policy
LustMonster.com | 144 Fishponds Rd, Eastville, Bristol BS5 6PT, United Kingdom
sales@lustmonster.com
Effective Date: 18 June 2025
This Privacy Policy governs the manner in which LustMonster ("we", "our", "us") collects, uses, maintains, and discloses information collected from users ("User" or "you") of the website https://lustmonster.com ("Website"). We are fully committed to protecting your privacy and operating in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and all applicable international and local data protection laws.
LustMonster collects specific categories of information to deliver orders, secure our platform, comply with legal requirements, optimise customer experience, and protect our business operations. We do not collect any data beyond what is necessary for the legitimate functioning of our services.
Personal data refers to any information that can be used to directly or indirectly identify a natural person. We collect such data only when you actively interact with our website or services. This includes:
We explicitly do not collect any special categories of personal data as defined under Article 9 of the GDPR, including racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health status, or sexual orientation.
We automatically collect non-personal information when you interact with our website, including device specifications, browser data, session behaviour (page visits, click sequences, scroll depth), approximate geographic region (based on anonymised IP), and time zone. This data is anonymised wherever feasible and used for business intelligence and fraud detection purposes.
LustMonster does not directly process or store full payment credentials. All financial data is securely processed by third-party PCI-DSS Level 1 certified gateways. We retain only limited payment metadata for transactional integrity and fraud prevention, including card brand, last 4 digits, billing postcode, transaction reference IDs, and digital wallet identifiers. These records are retained for a minimum of 7 years in compliance with financial obligations.
To protect our infrastructure and improve user experience, we deploy the following automated tools:
Third-party tools deployed include Google Analytics (with IP anonymisation), Meta Pixel (only with explicit consent), Cloudflare security suite, and Shopify analytics. You may opt out of non-essential cookies via our Cookie Consent Manager.
LustMonster processes personal and non-personal data only for lawful, specific, and limited purposes in accordance with GDPR Article 5. Every processing activity is mapped to one of the following legal bases: contractual necessity, legal obligation, legitimate interest, or explicit consent.
We use your data to validate and confirm orders, calculate shipping, generate invoices, notify you of order and shipment status, and resolve delivery exceptions. Shipping details including name, address, and phone number may be shared with carriers and customs authorities as required.
We use payment metadata to screen transactions for fraud, comply with AML and KYC regulations where applicable, and assist with chargeback or dispute resolution. High-risk orders may be flagged and cancelled automatically or manually.
All support correspondence and metadata are retained to verify identity, review past orders, provide technical assistance, and resolve disputes. Support interactions are logged for internal accountability and training.
We may process or retain your data to comply with tax reporting obligations, cooperate with law enforcement under lawful warrant or court order, and maintain records required by applicable retention laws.
We use your contact information to send order confirmations, shipping notifications, password resets, and important updates about policy or platform changes. These are transactional messages and do not require prior consent. You cannot opt out unless you delete your account entirely.
By providing your email address — whether during account registration, order placement at checkout, newsletter subscription, or any other interaction with our website — you agree to receive marketing communications from LustMonster.com, including promotional offers, product updates, and newsletters.
You may withdraw your consent and unsubscribe at any time by clicking the "Unsubscribe" link included in every marketing email or by contacting us at sales@lustmonster.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. We do not engage in cold email marketing or third-party list purchases.
We process anonymised usage data to analyse sales trends, optimise navigation and product display, identify errors, and measure campaign performance. All analytics data is anonymised where possible and never used to create behavioural profiles or sold to third parties. We do not perform automated decision-making or profiling under GDPR Article 22.
We log and process data related to suspicious login attempts, abuse of promotional codes, checkout tampering, scraping violations, and attempts to bypass geo-restrictions. This data may be shared with hosting providers, CDN security layers, and threat intelligence vendors under strict agreements, and is retained for up to 36 months.
This section applies to individuals in the EEA, UK, and Switzerland. Every processing activity performed by LustMonster is mapped to one or more of the lawful bases under GDPR Article 6(1).
Processing required to accept and process orders, manage payments and refunds, deliver goods, provide order-related support, and verify identity for account matters.
Processing required by tax and customs regulations, accounting and recordkeeping laws, consumer protection legislation, and law enforcement cooperation (e.g., fraud investigations, data preservation under subpoena).
Processing for fraud and abuse detection, security event logging, IT infrastructure protection, defence against legal claims, service improvement, anonymised analytics, and demand-based inventory management. We conduct documented Legitimate Interest Assessments (LIAs) to ensure proportionality. You have the right to object at any time.
Processing based on freely given, specific, informed, and unambiguous consent. Examples include: opting in to marketing emails or newsletters, accepting non-essential cookies or tracking pixels, participating in surveys, and requesting restock notifications.
You may withdraw consent at any time by clicking the unsubscribe link in marketing emails, adjusting cookie preferences, or contacting sales@lustmonster.com. Withdrawal does not affect the lawfulness of prior processing.
If you are located in the EEA or UK, you are entitled to the following rights under GDPR Articles 12–23. Requests may be submitted to sales@lustmonster.com. We will respond within 30 calendar days of receiving a verified request.
Request confirmation of whether we process your personal data and obtain a copy, including processing purposes, data categories, recipients, retention periods, and sources.
Request correction of inaccurate, incomplete, or outdated personal data. Certain fields may be archived rather than overwritten for audit integrity.
Request deletion of your personal data when it is no longer necessary, when you withdraw consent, when you object and there are no overriding legitimate grounds, or when it has been unlawfully processed. Exceptions apply for legal compliance, fraud prevention, and active contractual obligations.
Request suspension of data processing while contesting accuracy, during objection assessment, or when processing is unlawful but you prefer restriction over deletion.
Request your personal data in a structured, machine-readable format (e.g., JSON, CSV) where processing is based on consent or contract and carried out by automated means.
Object to direct marketing at any time — this right is absolute and will be actioned immediately. You may also object to processing based on legitimate interests; if we cannot demonstrate compelling overriding grounds, we will cease processing.
We do not engage in automated decision-making that produces legal or equivalent significant effects on users. Any fraud scoring or risk assessment is subject to human oversight.
If you believe your rights have been violated, you may lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. We encourage you to contact us first at sales@lustmonster.com so we can attempt to resolve the issue directly.
If you are a California resident, you are entitled to specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), effective January 1, 2023.
In the past 12 months, LustMonster has collected the following categories of personal information about California residents:
| Category (CCPA §1798.140) | Examples | Source | Shared With |
| --- | --- | --- | --- |
| A. Identifiers | Name, email, address, phone, IP | Direct from user | Service providers |
| B. Commercial information | Products purchased, order history, refund records | Direct from user | Payment processors |
| C. Internet activity | Page views, session duration, cart activity | Automated | Analytics vendors |
| D. Geolocation data | General region based on IP (country/state) | Automated | None |
| F. Payment metadata | Payment type, masked card ID, billing ZIP | Payment gateway | Fraud screening |
| G. Inferences (anonymised) | Product category interest (non-personal) | Analytics | Internal only |
We do not collect sensitive personal data as defined in Cal. Civ. Code §1798.140(ae), biometric or health data, or government identifiers. We do not sell personal information or engage in cross-context behavioural advertising.
To submit CCPA requests, contact sales@lustmonster.com with subject line "CCPA Request". We will respond within 45 calendar days.
LustMonster uses cookies and tracking technologies to enable core functionality, protect platform security, analyse performance, and enhance customer experience. Our use complies with the EU ePrivacy Directive, GDPR, UK PECR, and CCPA/CPRA.
Strictly Necessary – Essential for the website to function. Cannot be disabled. Includes authentication tokens, cart sessions, security tokens, and load balancing cookies.
Performance and Analytics – Collect anonymised data on visitor interactions to improve usability. Includes Google Analytics (IP anonymised) and Shopify Analytics. Activated only after opt-in consent in the EU/UK.
Functional – Remember your preferences (language, currency, region). Disabling them may reduce site functionality.
Targeting and Advertising – Used for audience segmentation or campaign tracking. Disabled by default; activated only with prior affirmative consent.
Users in the EEA and UK are presented with a cookie consent banner on first visit, allowing granular control over cookie categories. Consent is valid for 12 months or until withdrawn. No non-essential cookies are deployed before consent is obtained. You may update preferences at any time via the "Cookie Settings" link in our footer.
Most browsers allow you to view, delete, or block cookies. Disabling all cookies may prevent use of key features including checkout, login, and account access. Browser-specific instructions are available via your browser's help documentation.
We engage a limited number of external service providers to assist with specific technical and operational functions. All providers are bound by strict legal and contractual obligations, including GDPR-compliant Data Processing Agreements (DPAs).
We do not permit third-party marketing trackers, retargeting ad networks, or embedded SDKs that collect personal information beyond the contracted scope.
We are based in the United Kingdom and store the majority of customer data within the UK and EEA. Where data is transferred internationally, we ensure compliance with applicable data protection laws through the following mechanisms:
Typical transfer scenarios include payment tokenisation (US/UK-routed), email infrastructure, and cloud-based fraud detection. All data exports are logged and monitored. We encrypt sensitive fields at rest (AES-256) and in transit (TLS 1.2+).
You may request information about transfer countries, applicable SCCs, or request that your data not be transferred outside your jurisdiction (subject to service limitations) by contacting sales@lustmonster.com.
LustMonster retains personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods are category-based and subject to scheduled deletion or anonymisation.
| Data Category | Retention Period | Rationale |
| --- | --- | --- |
| Order & transaction data | 7 years | Tax, accounting, fraud prevention, statutory limitation periods |
| Account data (active users) | While account is active | Required to deliver services and support |
| Account data (inactive > 24 months) | Deleted or anonymised after 24 months | Data minimisation and GDPR compliance |
| Customer support correspondence | 3 years from last interaction | Service history, legal defence, dispute resolution |
| Marketing consent & preferences | Until opt-out + 2 years | Proof of consent under GDPR and marketing law |
| Email marketing activity (anonymised) | 24 months | Analytics and business performance |
| IP addresses & user agents (logs) | 30 days | Security monitoring and fraud detection |
| Payment tokens / identifiers | 5 years max | Repeat orders and fraud review (no card numbers stored) |
| Security & fraud event logs | 36–60 months | Abuse detection, chargeback defence, GDPR Art. 32 |
| Tax, VAT, and legal records | 6–10 years (jurisdiction-dependent) | Mandatory statutory retention obligations |
| Abuse reports / confirmed fraud records | Permanently or until appeal | Blacklist enforcement and litigation |
Once retention periods expire, data is either permanently deleted from all active and backup systems, or anonymised in accordance with ISO/IEC 20889 standards, rendering it non-identifiable.
Data involved in pending litigation, fraud investigations, regulatory inquiries, or tax audits may be retained beyond standard periods until the matter is formally resolved.
To request deletion of your data, contact sales@lustmonster.com with the subject line "Data Deletion Request". We will respond within 30 calendar days, explaining what can and cannot be erased and why.
LustMonster implements a layered, risk-based security framework to ensure the confidentiality, integrity, and availability of all user data.
In the event of a data breach or confirmed unauthorised access, we commit to: immediately isolating and containing the breach; investigating scope using forensic tools; notifying affected customers within 72 hours where required by GDPR, UK GDPR, or CCPA; cooperating with legal authorities; and documenting the incident and prevention improvements.
Security researchers who discover vulnerabilities may report them to sales@lustmonster.com. We pledge to acknowledge good-faith reports within 7 business days and not to pursue legal action against responsible disclosures.
Our website, products, and services are strictly intended for adults aged 18 and over (or the age of majority in your jurisdiction, whichever is higher). We do not knowingly collect, solicit, or process personal information from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will immediately delete all associated data and disable any related account or order.
We implement age-gating mechanisms and visible warnings to discourage access by underage individuals. Parents and guardians who believe a minor has accessed our site should contact sales@lustmonster.com (subject: "Minor Data Concern"). We will respond within 7 business days.
This policy aligns with GDPR Article 8, COPPA (US), the UK Children's Code, and PIPEDA guidance on minors.
To exercise any of the rights described in this Privacy Policy, contact us at:
sales@lustmonster.com
Please include your name, the email address linked to your account or order, a description of your request, and proof of identity. We will respond within 30 calendar days; complex requests may take up to 60 days with written notice.
You may also contact your local data protection authority:
This Privacy Policy is binding upon all users of LustMonster.com. By accessing or interacting with our website, placing an order, or submitting any personal data, you confirm that you have read and understood this Privacy Policy and accept the terms stated herein.
We reserve the right to modify this policy at any time to reflect changes in law, business practices, or security guidance. Material changes will be published on our homepage and, where applicable, notified via email. Continued use of the site constitutes acceptance of the updated version.